Posts in this blog are provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified in the Terms of UseAre you interested in having a dedicated engineer that will be your Mic

However – this wont work across reboots. The consolidator Condition Detection that keeps a count of multiple events across time is handled in memory, on the agent. If the agent service or server is restarted – we lose the count because the workflow must reinitialize.

One way to handle this is via a script write action. Essentially – a reboot is typically detected via a 6009 event in the SYSTEM log. (Dirty shutdowns can be detected via 6008 event and you should already be monitoring for these) However – in this example we don’t want an alert on every normal reboot. We only want to know if a server is rebooted multiple times in a specific time period.

We can accomplish this via two rules.

One rule will use an Event datasource, but instead of alerting – we will execute a script WriteAction as the response to the event. The script is a simple VBscript that looks in the system log for a specific duration of time, and counts the number of matching events.

The script is very simple: You can reuse this just change the event ID, count, and time you want at the top. You might also need to customize the events created by LogScriptEvent to suit your needs and provide a good message for the alert.